Today I upgraded 2 of my 4 machines from RELENG_7 to RELENG_8. Both of the 2 machines are just LDAP clients. My LDAP server is still running on RELENG_7, and the remained one is also a LDAP client. All of them were installed OpenLDAP-2.4.21 and nss_ldap-1.265_3.
Before I upgrades my system, everything works properly. I added a group named `group1' on LDAP server, and then add a user named `user1' to this group. I can type `id user1' to see the following line: uid=3000(user1) gid=3000(user1) groups=3000(user1),10000(gorup1) Of course, now the following record is already my LDAP server: -- dn: cn=group,ou=group,dc=mydomain,dc=org objectClass: posixGroup cn: group1 gidNumber: 10000 memberUid: user1 -- After I upgraded these 2 machines from RELENG_7 to RELENG_8, to type `id user1' could only show the following information: uid=3000(user1) gid=3000(user1) groups=3000(user1) This user's supplementary group was gone, and he couldn't write any group-writable files which had gid 10000 one the 2 machines. But in my other 2 machines that running on RELENG_7, this problem is still not occured. I have logged the behaviors of RELENG_7 & RELENG_8. Here is the behavior when I type `id user1' on RELENG_7: -- conn=1007 op=2 SRCH base="ou=people,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=user1))" conn=1007 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire loginClass conn=1007 op=3 SRCH base="ou=group,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixGroup))" conn=1007 op=3 SRCH attr=cn userPassword memberUid uniqueMember gidNumber conn=1007 op=4 SRCH base="ou=group,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=3000))" conn=1007 op=4 SRCH attr=cn userPassword memberUid uniqueMember gidNumber conn=1007 op=4 SRCH base="ou=group,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=3000))" conn=1007 op=4 SRCH attr=cn userPassword memberUid uniqueMember gidNumber conn=1007 op=4 SRCH base="ou=group,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=10000))" conn=1007 op=4 SRCH attr=cn userPassword memberUid uniqueMember gidNumber -- In step 2, it tries to fetch out the full group list from my LDAP server. According to this information, it can know what user1's supplementary groups are. RELENG_8: -- conn=1008 op=2 SRCH base="ou=people,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=user1))" conn=1008 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire loginClass conn=1008 op=3 SRCH base="ou=group,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=3000))" conn=1008 op=3 SRCH attr=cn userPassword memberUid uniqueMember gidNumber conn=1008 op=3 SRCH base="ou=group,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=3000))" conn=1008 op=3 SRCH attr=cn userPassword memberUid uniqueMember gidNumber -- It never tried to get the group list from LDAP server, hence it's impossible to know user1's supplementary groups. The client settings on RELENG_7 & RELENG_8 are fully consistent, so I don't think it's the problem of my config files. Since my 4 machines use the same version of nss_ldap, to downgrade nss_ldap's version for testing is meaningless. Should this problem is a base system's bug? _______________________________________________ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
